So... here's what I have...



The $_GET['UserID']; I am not sure serves any purpose yet.

WHERE UserID = 1 ... I think "1" needs to be replaced with something. This will show only UserID 1, I want to be able to visit any profile.php page, e.g. profile.php?UserID=4 and for UserID=4 to show that specific user's information.

Also, I would like to be able to create a link automatically on a user's account page, such as...

Your profile is located at... academic-self-help.zymichost.com/profile.php?UserID=4 for example...

Please help with these two tasks, thanks!

This is just testing and getting it to work, of course they'll be more information than just first and last name.

Which brings me to another task, is it possible for me to allow them to show or hide last name? I would imagine so, I remember using a code that allows you to show or hide email - guess it would work that same way.

Well, you almost have it done. You need to set $_GET['UserID'] to a variable, then you can use that as the id throughout the page. So for instance, $user_id=$_GET['UserID']. Then, for the mysql query, replace the UserID = 1 with UserID = '".$user_id."'

You can then echo $user_id into html code to have the user_id in the html. So for the links, you can just add <?php echo $user_id; ?> where ever you want the user id to be.

You can have the user hide anything they want. You can have another database variable called like, "name_hidden" and if its set to 0, then the name is visible. Then in your profile page, make an if/else statement that pulls the info about the users settings, then determines if the name is hidden, and if not, display the name. You can then add an edit settings page where the user can edit these settings anytime they want.

I hope this has helped you.

Why bother assigning the $_GET var? Why not just use it as it is?

And you do need to check it is a number, else bad things will happen.

And you need to make sure there is a user with that ID.

swordz

<?php include('base.php');

$user_id= "$_GET['UserID']";

$result = mysql_query("SELECT * FROM users WHERE UserID = $user_id");

while($row = mysql_fetch_array($result))
{
echo $row['FirstName'] . " " . $row['LastName'];
echo "<br />";
}

?>

you can just declare $user_id ="user_id";

instead of he $_GET unless you are pulling it from a URL which i doubt you are.

That would just set $user_id to the char "user_id"... if you want it from a post from the previous page, use $_POST['user_id'], wanna use sessions? use $_SESSION['user_id']

This is a helpful information especially for me that is also a newbie in php.

Just make sure you do:



That will cut the probability of an SQL Injection about in half (AFAIK it can be avoided).

EDIT: D: oh darn... just saw that this is a very old topic. Sorry for bumping :C

Hi 7-sided Dice,
IMO: Any constructive (updated, or the like) material directly pertinant to a topic is never considered a bump, but rather an enhancement to the already expounded. I think you may be surprised that over the course of time that your injection will prove to be a valuable contribution in this topic to the PHP novice.
Crickets! I read it and looked back through the complete thread and I found it useful (for future reference).

Thanks.